Skip to content

Commit

Permalink
buffer: coerce slice parameters consistently
Browse files Browse the repository at this point in the history
As shown in #9096, the offset and
end value of the `slice` call are coerced to numbers and then passed to
`FastBuffer`, which internally truncates the mantissa part if the number
is actually a floating point number. This actually affects the new
length of the slice calculation. For example,

    > const original = Buffer.from('abcd');
    undefined
    > original.slice(original.length / 3).toString()
    'bc'

This happens because, starting value of the slice is 4 / 3, which is
1.33 (approximately). Now, the length of the slice is calculated as
the difference between the actual length of the buffer and the starting
offset. So, it becomes 2.67 (4 - 1.33). Now, a new `FastBuffer` is
constructed, with the following values as parameters,

 1. actual buffer object,
 2. starting value, which is 1.33 and
 3. the length 2.67.

The underlying C++ code truncates the numbers and they become 1 and 2.
That is why the result is just `bc`.

This patch makes sure that all the offsets are coerced to integers
before any calculations are done.

Fixes: #9096
PR-URL: #9101
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
  • Loading branch information
thefourtheye authored and jasnell committed Oct 18, 2016
1 parent 63d8a29 commit 01c7796
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 4 deletions.
7 changes: 3 additions & 4 deletions lib/buffer.js
Original file line number Diff line number Diff line change
Expand Up @@ -807,11 +807,10 @@ Buffer.prototype.toJSON = function() {


function adjustOffset(offset, length) {
offset = +offset;
if (offset === 0 || Number.isNaN(offset)) {
offset |= 0;
if (offset === 0) {
return 0;
}
if (offset < 0) {
} else if (offset < 0) {
offset += length;
return offset > 0 ? offset : 0;
} else {
Expand Down
10 changes: 10 additions & 0 deletions test/parallel/test-buffer-slice.js
Original file line number Diff line number Diff line change
Expand Up @@ -62,3 +62,13 @@ assert.strictEqual(Buffer.alloc(0).slice(0, 1).length, 0);

// slice(0,0).length === 0
assert.strictEqual(0, Buffer.from('hello').slice(0, 0).length);

{
// Regression tests for https://github.com/nodejs/node/issues/9096
const buf = Buffer.from('abcd');
assert.strictEqual(buf.slice(buf.length / 3).toString(), 'bcd');
assert.strictEqual(
buf.slice(buf.length / 3, buf.length).toString(),
'bcd'
);
}

0 comments on commit 01c7796

Please sign in to comment.